Day 25 of 60 · Dynamic, fuzz & dynamic security
Memory / undefined-behavior sanitisers
In C, C++, or unsafe Rust, the bugs that don't crash deterministically are the ones that crash in production. Sanitisers trap them at the moment of misuse, not three weeks later.
Problem
Memory bugs in C/C++/unsafe Rust that don't crash deterministically.
How it works
Compile-time instrumentation that traps on use-after-free, buffer overflow, data races, undefined behavior. Run tests under sanitiser builds.
What it catches
Memory-safety bugs invisible to ordinary tests. For unsafe languages, this is the floor, not optional past Medium.
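An added example, not part of the lesson: a heap read with an off-by-one bound check that an ordinary in-range test never notices, next to the corrected check. The function names and `NSLOTS` are hypothetical; the build lines in the comment use the standard Clang/GCC sanitiser flags.

```c
/* Added example (hypothetical names). Build the same file twice:
 *   cc -O1 -g demo.c -o demo
 *   cc -O1 -g -fno-omit-frame-pointer -fsanitize=address,undefined demo.c -o demo_san
 * `./demo 8` typically prints whatever sits after the buffer and exits 0;
 * `./demo_san 8` aborts with an ASan heap-buffer-overflow report that points
 * at the read in slot_read_buggy. */
#include <stdio.h>
#include <stdlib.h>

#define NSLOTS 8

/* Heap buffer of NSLOTS ints holding 0, 10, 20, ... */
int *slots_new(void) {
    int *s = malloc(NSLOTS * sizeof *s);
    if (!s)
        return NULL;
    for (size_t i = 0; i < NSLOTS; i++)
        s[i] = (int)(i * 10);
    return s;
}

/* Deliberately buggy: <= lets idx == NSLOTS through, so the read lands
 * one element past the end of the allocation. */
int slot_read_buggy(const int *slots, size_t idx) {
    if (idx <= NSLOTS)
        return slots[idx];
    return -1;
}

/* Corrected bound check: idx == NSLOTS is rejected. */
int slot_read_fixed(const int *slots, size_t idx) {
    if (idx < NSLOTS)
        return slots[idx];
    return -1;
}

int main(int argc, char **argv) {
    /* Default index 3 is in range; pass 8 to exercise the boundary. */
    size_t idx = argc > 1 ? strtoul(argv[1], NULL, 10) : 3;
    int *s = slots_new();
    if (!s)
        return 1;
    printf("fixed: %d\n", slot_read_fixed(s, idx));
    printf("buggy: %d\n", slot_read_buggy(s, idx));
    free(s);
    return 0;
}
```

The sanitiser only traps on paths the tests actually execute, so the suite run under the sanitiser build needs boundary inputs such as index 8 here.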
Tools
AddressSanitizer (OSS) · Valgrind (OSS) · MemorySanitizer (OSS) · UBSan (OSS)
Verdict by project size
| Project size | Verdict |
|---|---|
| Small | Skip |
| Medium | Rec |
| Large | Must |
| Extra-large | Must |
Cost
| Project size | Setup | Maint / mo | Tool / mo | CI / run |
|---|---|---|---|---|
| Small <10k LOC | 4h | 0.5h | $0 | +1m |
| Medium 10–100k LOC | 2d | 3h | $0 | +5m |
| Large 100k–1M LOC | 8d | 15h | $0 | +15m |
| Extra-large >1M LOC | 25d | 60h | $0 | +40m |
Setup = engineer-days to first useful run · Maint = engineer-hours / month at steady state · Tool = out-of-pocket $ / month · CI = minutes added (or saved) per pipeline run
Lifecycle & ownership
When in lifecycle
Build · Test
Per merge · Runs after merge to main; nightly heavy jobs.
Who owns it
Security / AppSec
SAST, DAST, threat modelling
Collaborates with: Developer
Reference implementations
- Google Sanitizers wiki: AddressSanitizer setup and examples for memory-safety validation.
- LLVM AddressSanitizer docs: Compiler-supported memory error detection with build and runtime examples.
- UndefinedBehaviorSanitizer docs: Runtime checks for undefined behavior in C and C++.
Quick check
AddressSanitizer / UBSan / MemorySanitizer are the floor for which kind of project?